這篇文章主要介紹“kubernetes證書過期怎么處理”,在日常操作中,相信很多人在kubernetes證書過期怎么處理問題上存在疑惑,小編查閱了各式資料,整理出簡單好用的操作方法,希望對大家解答”kubernetes證書過期怎么處理”的疑惑有所幫助!接下來,請跟著小編一起來學習吧!
創(chuàng)新互聯(lián)自2013年創(chuàng)立以來,先為長順等服務建站,長順等地企業(yè),進行企業(yè)商務咨詢服務。為長順企業(yè)網(wǎng)站制作PC+手機+微官網(wǎng)三網(wǎng)同步一站式服務解決您的所有建站問題。
# kubectl get pod Unable to connect to the server: x509: certificate has expired or is not yet valid
# cd /etc/etcd/ssl/ # openssl x509 -in etcd.pem -noout -text |grep ' Not ' Not Before: Jul 5 07:57:00 2018 GMT Not After : Jul 5 07:57:00 2019 GMT
默認為8760h也就是一年
# vim ca-config.json { "signing": { "default": { "expiry": "8760h" }, "profiles": { "kubernetes-Soulmate": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "8760h" } } } }
修改為10年
{ "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes-Soulmate": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } } }
# mv /etc/etcd/ssl /etc/etcd/ssl_bak # mkdir -p /etc/etcd/ssl
# cfssl gencert -ca=ca.pem \ -ca-key=ca-key.pem \ -config=ca-config.json \ -profile=kubernetes-Soulmate etcd-csr.json | cfssljson -bare etcd 2019/07/24 15:54:51 [INFO] generate received request 2019/07/24 15:54:51 [INFO] received CSR 2019/07/24 15:54:51 [INFO] generating key: rsa-2048 2019/07/24 15:54:51 [INFO] encoded CSR 2019/07/24 15:54:51 [INFO] signed certificate with serial number 129040491859111596768279827567523252619269640219 2019/07/24 15:54:51 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). # cp etcd.pem etcd-key.pem ca.pem /etc/etcd/ssl/
重啟服務
# systemctl restart etcd
拷貝至其它etcd節(jié)點
# scp -r /etc/etcd/ssl/*.pem k8s2:/etc/etcd/ssl/ # scp -r /etc/etcd/ssl/*.pem k8s3:/etc/etcd/ssl/
# openssl x509 -in etcd.pem -noout -text |grep ' Not ' Not Before: Jul 24 07:50:00 2019 GMT Not After : Jul 21 07:50:00 2029 GMT
# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text |grep ' Not ' Not Before: Jul 6 03:26:53 2018 GMT Not After : Jul 6 03:26:53 2019 GMT
# cd /etc/kubernetes # mkdir pki_bak # mkdir conf_bak # mv pki/apiserver* pki_bak/ # mv pki/front-proxy-client.* pki_bak/ # mv admin.conf kubelet.conf controller-manager.conf scheduler.conf conf_bak/
# cat config.yaml apiVersion: kubeadm.k8s.io/v1alpha1 kind: MasterConfiguration kubernetesVersion: 1.10.4 etcd: endpoints: - https://172.16.40.111:2379 - https://172.16.40.112:2379 - https://172.16.40.121:2379 caFile: /etc/etcd/ssl/ca.pem certFile: /etc/etcd/ssl/etcd.pem keyFile: /etc/etcd/ssl/etcd-key.pem dataDir: /var/lib/etcd networking: podSubnet: 192.168.0.0/16 api: advertiseAddress: "172.16.40.10" controlPlaneEndpoint: "172.16.40.10" token: "b99a00.a144ef80536d4345" tokenTTL: "0s" apiServerCertSANs: - k8s1 - k8s2 - k8s3 - 172.16.40.111 - 172.16.40.112 - 172.16.40.121 - 172.16.40.10 featureGates: CoreDNS: true # kubeadm alpha phase certs all --config=config.yaml [certificates] Using the existing ca certificate and key. [certificates] Generated apiserver certificate and key. [certificates] apiserver serving cert is signed for DNS names [k8s1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local 172.16.40.10 k8s1 k8s2 k8s3] and IPs [10.96.0.1 172.16.40.10 172.16.40.111 172.16.40.112 172.16.40.121 172.16.40.14 172.16.40.10] [certificates] Generated apiserver-kubelet-client certificate and key. [certificates] Using the existing sa key. [certificates] Using the existing front-proxy-ca certificate and key. [certificates] Generated front-proxy-client certificate and key. [certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
# kubeadm alpha phase kubeconfig all --config=config.yaml [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf" [kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config # chown $(id -u):$(id -g) $HOME/.kube/config
# scp -r /etc/kubernetes/pki k8s2:/etc/kubernetes/ # scp -r /etc/kubernetes/pki k8s3:/etc/kubernetes/ # scp $HOME/.kube/config k8s2:$HOME/.kube/config # scp $HOME/.kube/config k8s3:$HOME/.kube/config
到此,關于“kubernetes證書過期怎么處理”的學習就結束了,希望能夠解決大家的疑惑。理論與實踐的搭配能更好的幫助大家學習,快去試試吧!若想繼續(xù)學習更多相關知識,請繼續(xù)關注創(chuàng)新互聯(lián)網(wǎng)站,小編會繼續(xù)努力為大家?guī)砀鄬嵱玫奈恼拢?/p>
當前文章:kubernetes證書過期怎么處理
瀏覽路徑:http://jinyejixie.com/article6/pdciig.html
成都網(wǎng)站建設公司_創(chuàng)新互聯(lián),為您提供網(wǎng)站營銷、用戶體驗、外貿(mào)網(wǎng)站建設、全網(wǎng)營銷推廣、商城網(wǎng)站、網(wǎng)站排名
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉載內(nèi)容為主,如果涉及侵權請盡快告知,我們將會在第一時間刪除。文章觀點不代表本網(wǎng)站立場,如需處理請聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉載,或轉載時需注明來源: 創(chuàng)新互聯(lián)